Combining NAP enforcement methods

Which NAP enforcement methods provided with Windows can you use together? Here is a section from the upcoming Network Access Protection Design Guide from our technical writer Greg Lindsay:

Combining NAP Methods

While the steps presented in this guide may imply that each enforcement method will be implemented alone it is possible to use more than one enforcement method simultaneously. An organization might invest additional resources into combining these enforcement methods because they have complementary strengths and weaknesses. NAP with VPN enforcement can be used to enforce organizational compliance policies on remote clients, while IPsec could be used for local clients. 802.1X and IPsec offer a particularly robust combination because together they can restrict network connectivity at multiple layers of the network protocol stack. The following table illustrates potential ways to combine enforcement methods. Keep in mind that the complexity of your NAP deployment can increase when you combine enforcement methods.

 

IPsec

802.1X

VPN

DHCP

IPsec

 

ü

ü

ü

802.1X

ü

 

X

ü

VPN

ü

X

 

X

DHCP

ü

ü

X

 

Table 1: NAP enforcement method combinations.

This information is also published in the "Selecting the Right NAP Architecture" Infrastructure Planning and Design (IPD) guide.

These combinations are from the NAP client’s perspective. A NAP deployment can be configured to support all four NAP enforcement methods. However, a NAP client can only use a subset of them, depending on the nature of its connectivity to the intranet.

For example, a NAP client can obtain an authenticated Layer 2 connection to the network using 802.1X (wired or wireless) or a remote access VPN connection. It does not use both. Therefore, from the NAP client’s perspective, it will not use both the 802.1X and VPN enforcement methods when attempting to access an intranet.

Similarly, a remote access VPN client connection does not use DHCP to obtain an IP address. It uses the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Therefore, a NAP client does not use both VPN and DHCP enforcement methods.

Another combination of NAP enforcement methods is 802.1X, DHCP, and IPsec.

NAP Guest Blogger: Joe Davies

Comments